The Official Radare2 Book | page 88



0x10000389c hit1_10 90

0x100003c5c hit1_11 90


[0x100001200]> /bx 90

[0x100001200]> s 0x10000355b

[0x10000355b]> /bx 90

0x100003468 hit3_0 90

0x100003454 hit3_1 90

0x1000032b8 hit3_2 90

0x100002b2e hit3_3 90

0x1000027b2 hit3_4 90

0x10000248f hit3_5 90

0x100001a23 hit3_6 90

[0x10000355b]>

If you want to search for certain assembler opcodes, you can use the /a family of commands.

The command /ad/ jmp [esp] disassembles the search range and reports the instructions whose disassembly matches the given expression (the trailing / makes it a regular-expression match); the number after # in each hit is the instruction length in bytes:

[0x00404888]> /ad/ jmp qword [rdx]

f hit_0 @ 0x0040e50d # 2: jmp qword [rdx]

f hit_1 @ 0x00418dbb # 2: jmp qword [rdx]

f hit_2 @ 0x00418fcb # 3: jmp qword [rdx]

f hit_3 @ 0x004196ab # 6: jmp qword [rdx]

f hit_4 @ 0x00419bf3 # 3: jmp qword [rdx]

f hit_5 @ 0x00419c1b # 3: jmp qword [rdx]

f hit_6 @ 0x00419c43 # 3: jmp qword [rdx]

The command /a jmp eax assembles the given instruction into machine code and then searches for the resulting bytes (here ff e0; the hit shows the bytes that follow as well):

[0x00404888]> /a jmp eax

hits: 1

0x004048e7 hit3_0 ffe00f1f8000000000b8

Thanks to Victor Muñoz, radare2 supports the algorithm he developed for finding expanded AES keys (key schedules) with the /Ca command. It searches from the current seek position up to the search.distance limit, or until the end of the file is reached; the search can be interrupted by pressing Ctrl-C. For example, to look for AES keys in the physical memory of your system (this needs root, and most modern Linux kernels restrict /dev/mem with CONFIG_STRICT_DEVMEM, so it only works where raw physical memory access is allowed):

$ sudo r2 /dev/mem

[0x00000000]> /ca

0 AES keys found

If you are simply looking for a plaintext AES key stored in your binary, /Ca will not find it: it matches a complete expanded key schedule, not a bare 16-, 24- or 32-byte key. You may instead search the symbol table with is~AES, in case the programmer left such hints for you:

[0x00000000]> /Ca

Searching 0 byte in [0x100000-0x1f0000]

hits: 0

Searching 0 byte in [0x196e4-0x1b91c]

hits: 0

Searching 0 byte in [0x194b4-0x196e4]

hits: 0

Searching 0 byte in [0x8000-0x114b4]

hits: 0

[0x00000000]> is~AES

010 0x000096d4 0x000196d4 GLOBAL OBJ 16 AES_KEY

Other than that, AES keys might appear in the binary in different ways: encrypted, or hidden by another encrypting routine, so there is no reliable way to find them other than understanding the binary being analyzed. For instance, p=e might give some hints if sections of high(er) entropy are found that try to cover up a hardcoded secret. As an example of entropy searching, since radare2 3.2.0 it is possible to delimit entropy sections for later use, like so:

[0x00000000]> b

0x100

[0x00000000]> b 4096

[0x00000000]> /s

0x00100000 - 0x00101000 ~ 5.556094

0x014e2c88 - 0x014e3c88 ~ 0.000000
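The numbers printed by /s are Shannon entropy per block, and the block size set with b decides the resolution of the scan. The following added example (not radare2's own code) computes the same per-block entropy over a constructed image and merges adjacent high-entropy blocks into ranges the way /s delimits sections; the 7.0 reporting threshold and the sample image are assumptions of this example.

```python
# Added example: a block-entropy scanner in the spirit of radare2's p=e and /s,
# not radare2's own code.  The block size plays the role of r2's `b`, and the
# threshold for reporting a range is an assumption of this example.
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for a
    perfectly uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_blocks(image: bytes, blocksize: int = 4096) -> list:
    """Return (start, end, entropy) for each consecutive block of the image."""
    return [(off, min(off + blocksize, len(image)),
             shannon_entropy(image[off:off + blocksize]))
            for off in range(0, len(image), blocksize)]


def high_entropy_ranges(image: bytes, blocksize: int = 4096,
                        threshold: float = 7.0) -> list:
    """Merge adjacent blocks whose entropy is at or above threshold into
    (start, end, mean entropy) ranges, the way /s delimits entropy sections."""
    merged = []                      # entries: [start, end, entropy_sum, nblocks]
    for start, end, ent in entropy_blocks(image, blocksize):
        if ent < threshold:
            continue
        if merged and merged[-1][1] == start:
            merged[-1][1] = end
            merged[-1][2] += ent
            merged[-1][3] += 1
        else:
            merged.append([start, end, ent, 1])
    return [(s, e, total / n) for s, e, total, n in merged]


def build_sample_image() -> bytes:
    """Constructed image: a zeroed page, a page of ASCII text, two pages of
    pseudo-random bytes (standing in for packed or encrypted data), a zeroed page."""
    rng = random.Random(42)
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    blob = bytes(rng.randrange(256) for _ in range(8192))
    return bytes(4096) + text + blob + bytes(4096)


if __name__ == "__main__":
    img = build_sample_image()
    for start, end, ent in entropy_blocks(img):
        print(f"0x{start:08x} - 0x{end:08x} ~ {ent:f}")
    print("high-entropy ranges:", high_entropy_ranges(img))
```

The zeroed pages score 0, the text page lands around 4 bits per byte, and the two random pages (close to 8) are merged into a single 0x2000-0x4000 range. Note the limitation this implies for key hunting: a 16-byte secret inside a 4 KiB block of ordinary code or text barely moves that block's entropy, so a large block size will not expose it; shrink b (at the cost of noisier output) or combine the entropy view with the symbol and string hints discussed above.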